Access ECR images from within a Jenkins docker ECS container
Hi Jenkins / Docker experts -
What works:
Using the approach suggested here, I was able to get the Jenkins docker image running in an AWS ECS cluster. Using a -v volume mount for the docker socket (/var/run/docker.sock) and the docker binary (/usr/bin/docker), I am able to access the docker process from within the Jenkins container as well.
What doesn't:
The last issue I am facing is pulling/pushing images from the AWS ECR registry. When I try to execute docker pull / push commands, I end up with - no basic auth credentials.
I stumbled upon this link explaining my problem. However, I can't use the solution suggested there, because there is no ~/.docker/config.json on the host that could be shared with the Jenkins docker container.
Any suggestions?
Amazon ECR users require permissions to call ecr:GetAuthorizationToken before they can authenticate to a registry and push or pull any images from any Amazon ECR repository. Amazon ECR provides several managed policies to control user access at varying levels; for more information, see ecr_managed_policies
AmazonEC2ContainerRegistryPowerUser
This managed policy allows power user access to Amazon ECR, which allows read and write access to repositories, but does not allow users to delete repositories or change the policy documents that are applied to them.
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": [
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:DescribeImages",
"ecr:BatchGetImage",
"ecr:InitiateLayerUpload",
"ecr:UploadLayerPart",
"ecr:CompleteLayerUpload",
"ecr:PutImage"
],
"Resource": "*"
}]
}
So instead of using ~/.docker/config.json, assign a role with the above policy to your ECS task, and your docker container service will be able to push/pull images from ECR.
IAM Roles for Tasks
With IAM roles for Amazon ECS tasks, you can specify an IAM role that can be used by the containers in a task. Applications must sign their AWS API requests with AWS credentials, and this feature provides a strategy for managing credentials for your applications to use, similar to the way that Amazon EC2 instance profiles provide credentials to EC2 instances. Instead of creating and distributing your AWS credentials to the containers or using the EC2 instance's role, you can associate an IAM role with an ECS task definition or RunTask API operation. The applications in the task's containers can then use the AWS SDK or CLI to make API requests to authorized AWS services.
Benefits of Using IAM Roles for Tasks
Credential Isolation: A container can only retrieve credentials for the IAM role that is defined in the task definition to which it belongs; a container never has access to credentials that are intended for another container that belongs to another task.
Authorization: Unauthorized containers cannot access IAM role credentials defined for other tasks.
Auditability: Access and event logging is available through CloudTrail to ensure retrospective auditing. Task credentials have a context of taskArn that is attached to the session, so CloudTrail logs show which task is using which role.
But you have to run this command to get the authorization token mentioned above.
eval $(aws ecr get-login --no-include-email)
You will get a response like
Login Succeeded
Now, once you have the authorization token from ECR, you can push/pull images.
docker push xxxxxxxxxxx.dkr.ecr.us-west-2.amazonaws.com/nodejs:test
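As an added example (not code from the question or the answer), here is a login helper for the Jenkins container described above: it checks that the ECS task-role credential endpoint is present, derives the registry and region from the image reference, and uses `aws ecr get-login-password` (the current replacement for the `aws ecr get-login` command quoted in the answer) with `docker login --password-stdin`, so the token never lands in the Jenkins console log or in `ps` output. The 12-digit account id in the image name is a constructed placeholder.

```shell
#!/bin/sh
# Added example: ECR login from inside a Jenkins container running as an ECS
# task whose task role carries the AmazonEC2ContainerRegistryPowerUser policy.
# No ~/.docker/config.json is mounted; credentials come from the task role.
set -e

# Registry host from a full ECR image reference, e.g.
# 123456789012.dkr.ecr.us-west-2.amazonaws.com/nodejs:test (placeholder id)
ecr_registry_from_image() {
  printf '%s\n' "${1%%/*}"
}

# AWS region from an ECR registry host. Returns 1 if the host does not look
# like an ECR registry, so the token is never sent to some other registry.
ecr_region_from_registry() {
  case "$1" in
    *.dkr.ecr.*.amazonaws.com)
      rest="${1#*.dkr.ecr.}"
      printf '%s\n' "${rest%%.amazonaws.com}"
      ;;
    *) return 1 ;;
  esac
}

# ECS sets AWS_CONTAINER_CREDENTIALS_RELATIVE_URI in containers whose task
# definition has a task role; the AWS CLI/SDK fetch credentials through it.
task_role_present() {
  [ -n "${AWS_CONTAINER_CREDENTIALS_RELATIVE_URI:-}" ]
}

# Log in to the registry that owns the given image reference.
ecr_login() {
  registry=$(ecr_registry_from_image "$1")
  region=$(ecr_region_from_registry "$registry") || {
    echo "refusing to log in: $registry is not an ECR registry" >&2
    return 1
  }
  task_role_present || echo "warning: no ECS task role detected" >&2
  # Assignment form: with set -e a failed `aws` call aborts before login.
  password=$(aws ecr get-login-password --region "$region")
  printf '%s' "$password" | docker login --username AWS --password-stdin "$registry"
}

# Usage inside the Jenkins job, then `docker push` the same reference:
# ecr_login 123456789012.dkr.ecr.us-west-2.amazonaws.com/nodejs:test
```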